[Techtalk] Re: iptables help needed ...
txjulie at austin.rr.com
Fri Dec 20 13:33:55 EST 2002
Raven Alder wrote:
>
> Heya --
>
> Quoth txjulie at austin.rr.com (Thu, Dec 19, 2002 at 10:41:46PM -0600):
> > On Tuesday I tried to switch from ipchains to iptables for a
> > firewall. Apparently I did something very wrong because last
> > night I got hacked and root-kitted and all sorts of bad things.
>
> Any idea of how it happened? (Root's .bash_history or
> something? Signatures in the logs?) Knowing how they got in will
> help prevent it happening again. A good firewall is a thing of
> beauty, but if the service they exploited is one that's allowed
> through the firewall then you're still in trouble.
It was pretty tricky. It seems they came in via some hole in sshd
and then deposited a =huge= root-kit. It was hard to figure out
exactly what happened because so many programs were changed. For
example, "ls" wouldn't show any of the files in the root-kit, or
at least, wouldn't show the more interesting ones.
My guess is that I left access to sshd open to the world. Very
few other services were enabled, although the previous firewall
was quite effective at keeping everyone out -- except the IBM
proxy server and a friend's box in Florida. When I switched to
iptables I had to leave a few more things open, and my guess is
that I left entirely too much open.
> > I'd love to send y'all the iptables rules I used, but I had to
> > reinstall this thing -- I didn't want to risk backing up my
> > new files only to include my new rootkit infestation ...
>
> Yeah -- levels of appropriate paranoia. [grins] Hope you had
> recent backups.
Recent enough -- but /, /usr, /var and friends were too trashed,
and it's faster to re-install and be done with it than dredge up
the backups, which have to be restored from DVD via a machine
in the kitchen. I've not bothered restoring anything from them
yet as they only contained configuration information which was
recreated during the re-install and the old firewall rules, which
I have to get rid of on account of needing features which are
only present in iptables. Mostly it was just very embarrassing.
> > So ... could y'all be so kind as to help? Please? I feel
> > like a dope ;-(
>
> Sure. What is going to be behind the firewall, what did you
> want to let through, and what did you want to keep out?
Things I want to let in are ssh, vnc (ports 5901 through 5910)
from two different machines, and ftp from those same two machines.
I'm not sure what I want to let through just yet -- the old firewall
rules allowed everything out and only pre-existing connections
back in, plus DNS responses from wherever.
What =must= work is ICMP has to be masqueraded. I use NAT inside
the house on a couple of 192.168.x/24 networks. What I was trying
to make work is an AT&T VPN gadget which idiotically tries to
ping its destinations before attempting to connect to them. Which
is =retarded=. ipchains doesn't handle ICMP properly, so the VPN
was giving up after the pings failed -- even though it could have
opened a TCP connection to them.
--
Julianne Frances Haugh          Life is either a daring adventure
txjulie at austin.rr.com        or nothing at all.
                                        -- Helen Keller
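An added example, not from the thread or its authors: a script that emits an iptables-restore ruleset implementing the policy described above (default-deny inbound, ssh/vnc/ftp only from the two trusted hosts, replies to outbound traffic back in, NAT for the 192.168.x networks so that ICMP from inside the house is masqueraded along with TCP and UDP). It assumes eth0 is the outside interface and uses placeholder addresses for the two trusted machines; the loop over $ADMIN1 $ADMIN2 generalises the "from two different machines" part to any list of hosts.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a small NAT firewall.
# Placeholders (change to match the real network):
WAN_IF=${WAN_IF:-eth0}                 # interface facing the Internet
LAN_NET=${LAN_NET:-192.168.0.0/16}     # the 192.168.x/24 networks inside
ADMIN1=${ADMIN1:-203.0.113.10}         # placeholder: the proxy at work
ADMIN2=${ADMIN2:-198.51.100.20}        # placeholder: the friend's box

gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade everything leaving the house; conntrack maps ICMP echo
# request/reply pairs just like TCP and UDP, so the VPN box's pings work.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to our own outbound traffic (DNS answers, ICMP replies, FTP
# data connections via the ftp conntrack helper) are ESTABLISHED/RELATED.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
  # New inbound connections: only ssh, vnc 5901-5910 and ftp, and only
  # from the trusted hosts. Anything else from the world hits the DROP policy.
  for h in $ADMIN1 $ADMIN2; do
    cat <<EOF
-A INPUT -i $WAN_IF -s $h -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -s $h -p tcp --dport 5901:5910 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -s $h -p tcp --dport 21 -m state --state NEW -j ACCEPT
EOF
  done
  cat <<EOF
# Inside hosts may start anything outbound; only replies are forwarded back.
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Load with:  modprobe ip_conntrack_ftp   (nf_conntrack_ftp on newer kernels)
#             echo 1 > /proc/sys/net/ipv4/ip_forward
#             sh thisscript.sh | iptables-restore
gen_rules
```

Because INPUT defaults to DROP, a rule that is merely forgotten leaves a port closed rather than open, which is the failure mode you want when moving between firewall tools.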